[GEN-2110]: update RBAC permissions for UI (#2058)

This pull request includes significant updates to the role and cluster
role definitions in the `cli/cmd/resources/ui.go` file. The changes
primarily involve refining the permissions for various resources to
better align with the required operations.

### Changes to Role and ClusterRole Definitions:

*
[`cli/cmd/resources/ui.go`](diffhunk://#diff-c286e10d34710a80a59127b2b7951e8a33d9b9554e47d2f2b827fd690f2e53abL143-R156):
Updated the `NewUIRole` function to refine the permissions for accessing
`configmaps`, `secrets`, and `odigos.io` resources. This includes adding
comments to clarify the necessity of each permission set.
*
[`cli/cmd/resources/ui.go`](diffhunk://#diff-c286e10d34710a80a59127b2b7951e8a33d9b9554e47d2f2b827fd690f2e53abL231-R230):
Updated the `NewUIClusterRole` function to refine the permissions for
accessing `namespaces`, `services`, `pods`, `replicasets`, and
`odigos.io` resources. Comments were added to explain the purpose of
each permission set.

cli/cmd/resources/ui.go

@@ -140,54 +140,35 @@ func NewUIRole(ns string) *rbacv1.Role {
 			Namespace: ns,
 		},
 		Rules: []rbacv1.PolicyRule{
-			{
-				Verbs: []string{
-					"create",
-					"get",
-					"update",
-					"watch",
-					"patch",
-				},
+			{ // Needed to read odigos-config configmap for settings
 				APIGroups: []string{""},
-				Resources: []string{
-					"secrets",
-				},
+				Resources: []string{"configmaps"},
+				Verbs:     []string{"get", "list"},
 			},
-			{
-				Verbs: []string{
-					"watch",
-					"list",
-					"get",
-				},
+			{ // Needed for secret values in destinations
 				APIGroups: []string{""},
-				Resources: []string{
-					"pods",
-				},
+				Resources: []string{"secrets"},
+				Verbs:     []string{"get", "list", "create", "patch", "update"},
 			},
-			{
-				Verbs: []string{
-					"get",
-					"list",
-				},
-				APIGroups: []string{"apps"},
-				Resources: []string{
-					"replicasets",
-				},
+			{ // Needed for CRUD on Odigos entities
+				APIGroups: []string{"odigos.io"},
+				Resources: []string{"instrumentationrules", "destinations"},
+				Verbs:     []string{"get", "list", "create", "patch", "update", "delete"},
 			},
-			{
-				Verbs: []string{
-					"get",
-					"list",
-					"watch",
-					"patch",
-					"delete",
-					"create",
-					"update",
-				},
+			{ // Needed to watch Odigos entities
 				APIGroups: []string{"odigos.io"},
-				Resources: []string{
-					"instrumentaitonrules",
-				},
+				Resources: []string{"destinations"},
+				Verbs:     []string{"watch"},
+			},
+			{ // Needed to read Odigos entities
+				APIGroups: []string{"odigos.io"},
+				Resources: []string{"collectorsgroups"},
+				Verbs:     []string{"get", "list"},
+			},
+			{ // Needed for CRUD on Pipeline Actions
+				APIGroups: []string{"actions.odigos.io"},
+				Resources: []string{"*"},
+				Verbs:     []string{"get", "list", "create", "patch", "update", "delete"},
 			},
 		},
 	}
@@ -228,40 +209,36 @@ func NewUIClusterRole() *rbacv1.ClusterRole {
 			Name: "odigos-ui",
 		},
 		Rules: []rbacv1.PolicyRule{
-			{
+			{ // Needed to get and instrument namespaces
 				APIGroups: []string{""},
 				Resources: []string{"namespaces"},
-				Verbs:     []string{"get", "list", "watch", "patch"},
+				Verbs:     []string{"get", "list", "patch"},
 			},
-			{
-				APIGroups: []string{""},
-				Resources: []string{"services"},
-				Verbs:     []string{"list"},
+			{ // Needed to instrument applications
+				APIGroups: []string{"apps"},
+				Resources: []string{"deployments", "statefulsets", "daemonsets"},
+				Verbs:     []string{"get", "list", "patch", "update"},
 			},
-			{
-				APIGroups: []string{""},
-				Resources: []string{"configmaps"},
-				Verbs:     []string{"get", "list", "watch", "patch", "create", "delete", "update"},
+			{ // Needed for "Describe Source" and for "Describe Odigos"
+				APIGroups: []string{"apps"},
+				Resources: []string{"replicasets"},
+				Verbs:     []string{"get", "list"},
 			},
-			{
+			{ // Need "services" for "Potential Destinations"
+				// Need "pods" for "Describe Source"
 				APIGroups: []string{""},
-				Resources: []string{"pods"},
+				Resources: []string{"services", "pods"},
 				Verbs:     []string{"get", "list"},
 			},
-			{
-				APIGroups: []string{"apps"},
-				Resources: []string{"deployments", "statefulsets", "daemonsets", "replicasets"},
-				Verbs:     []string{"get", "list", "watch", "patch", "update"},
-			},
-			{
+			{ // Needed to read Odigos entities
 				APIGroups: []string{"odigos.io"},
-				Resources: []string{"*"},
-				Verbs:     []string{"get", "list", "watch", "patch", "create", "delete", "update"},
+				Resources: []string{"instrumentedapplications", "instrumentationinstances", "instrumentationconfigs"},
+				Verbs:     []string{"get", "list"},
 			},
-			{
-				APIGroups: []string{"actions.odigos.io"},
-				Resources: []string{"*"},
-				Verbs:     []string{"get", "list", "watch", "patch", "create", "delete", "update"},
+			{ // Needed to watch Odigos entities
+				APIGroups: []string{"odigos.io"},
+				Resources: []string{"instrumentedapplications", "instrumentationinstances"},
+				Verbs:     []string{"watch"},
 			},
 		},
 	}

helm/odigos/templates/ui/clusterrole.yaml

@@ -4,73 +4,52 @@ metadata:
   name: odigos-ui
 rules:
   - apiGroups:
-      - ""
+      - ''
     resources:
       - namespaces
     verbs:
       - get
       - list
-      - watch
       - patch
   - apiGroups:
-      - ""
-    resources:
-      - services
-    verbs:
-      - list
-  - apiGroups:
-      - ""
+      - apps
     resources:
-      - configmaps
+      - deployments
+      - statefulsets
+      - daemonsets
     verbs:
       - get
       - list
-      - watch
       - patch
-      - create
-      - delete
       - update
   - apiGroups:
-      - ""
+      - apps
     resources:
-      - pods
+      - replicasets
     verbs:
       - get
       - list
   - apiGroups:
-      - apps
+      - ''
     resources:
-      - deployments
-      - statefulsets
-      - daemonsets
-      - replicasets
+      - services
+      - pods
     verbs:
       - get
       - list
-      - watch
-      - update
-      - patch
   - apiGroups:
       - odigos.io
     resources:
-      - "*"
+      - instrumentedapplications
+      - instrumentationinstances
+      - instrumentationconfigs
     verbs:
       - get
       - list
-      - watch
-      - patch
-      - create
-      - delete
-      - update
   - apiGroups:
-      - actions.odigos.io
+      - odigos.io
     resources:
-      - "*"
+      - instrumentedapplications
+      - instrumentationinstances
     verbs:
-      - get
-      - list
       - watch
-      - patch
-      - create
-      - delete
-      - update

helm/odigos/templates/ui/role.yaml

@@ -2,42 +2,58 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: odigos-ui
-  namespace: {{ .Release.Namespace }}
+  namespace: '{{ .Release.Namespace }}'
 rules:
   - apiGroups:
-      - ""
+      - ''
+    resources:
+      - configmaps
+    verbs:
+      - get
+      - list
+  - apiGroups:
+      - ''
     resources:
       - secrets
     verbs:
-      - create
       - get
       - list
+      - create
       - patch
       - update
-      - watch
   - apiGroups:
-      - ""
+      - odigos.io
     resources:
-      - pods
+      - instrumentationrules
+      - destinations
     verbs:
       - get
       - list
+      - create
+      - patch
+      - update
+      - delete
+  - apiGroups:
+      - odigos.io
+    resources:
+      - destinations
+    verbs:
       - watch
   - apiGroups:
-      - "apps"
+      - odigos.io
     resources:
-      - replicasets
+      - collectorsgroups
     verbs:
       - get
       - list
   - apiGroups:
-      - "odigos.io"
+      - actions.odigos.io
     resources:
-      - instrumentationrules
+      - '*'
     verbs:
-      - create
-      - delete
       - get
       - list
+      - create
       - patch
       - update
+      - delete